After reading this question, users warned that this method of encoding HTML is unsafe:
return $('<div/>').html(encodedText).text();
"don't use jQuery.html().text() to decode html entities as it's unsafe because user input should never have access to the DOM "
"I suggest using a safer, more optimized function"
The purpose of this method is to take encoded input, i.e. Fish &amp; chips,
and produce unencoded output, i.e. Fish & chips.
So as I understand it, they claim that for some value of encodedText, JavaScript can be executed. I tried to reproduce this by setting encodedText
to <script>alert(1)</script>
and a few other simple attacks, and was unable to find any signs of an XSS vulnerability.
My question is: is there any demonstrable XSS vulnerability in any browser when using $('<div/>').html(encodedText).text()?
There are plenty of ways of doing it; this is one way, using onerror on an image tag.
var x = $("<div/>").html('<img src="X" onerror="alert(\'hi\');" />').text();
console.log(x);
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
$('<div/>').html('<img onerror="alert(0)" src=invalid>').text()
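The answers above show why the jQuery one-liner is unsafe: .html() hands the string to the HTML parser, and an img element starts fetching its src as soon as it is created, even while the div is detached, so onerror runs before .text() is ever called (inline script tags, by contrast, are not executed by innerHTML, which is why the question's script test showed nothing). The safer alternative the question quotes is a decoder that only interprets character references and never builds elements. The block below is an added example, not code from the question or either answer; the names decodeHtmlEntities and NAMED_ENTITIES are assumptions of this example, the entity table is deliberately a small subset of the HTML5 list, and semicolon-less legacy forms such as &amp without the terminator are left undecoded.

```javascript
// Added example: decode HTML character references (named, decimal, hex)
// with a regular expression instead of the DOM. Because the input is never
// parsed as markup, a payload like <img src=x onerror=alert(1)> stays a
// plain string and nothing can execute.
// NOTE: NAMED_ENTITIES is a small subset chosen for this example; a
// production decoder would carry the full HTML5 named character reference
// table (assumption of this example, not of the original page).
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0',
};

// &#x1F; or &#X1F; (hex), &#123; (decimal), &name; (named). References
// that do not match, including ones missing the ';', are copied through.
const ENTITY_RE = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([a-zA-Z][a-zA-Z0-9]*));/g;

function decodeHtmlEntities(encodedText) {
  // A single replace() pass, so "&amp;lt;" becomes "&lt;" and is not
  // decoded a second time into "<" (no double-decoding).
  return String(encodedText).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (name !== undefined) {
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name]
        : match; // unknown name: leave the text as it was
    }
    const codePoint = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // Reject values that are not Unicode scalar values; browsers replace
    // NUL with U+FFFD, and surrogates / out-of-range values are invalid.
    if (codePoint === 0) return '\uFFFD';
    if (codePoint > 0x10ffff || (codePoint >= 0xd800 && codePoint <= 0xdfff)) {
      return match;
    }
    return String.fromCodePoint(codePoint);
  });
}

// Constructed sample inputs: the question's own example plus the answers'
// image payload, first entity-encoded and then raw.
const SAMPLES = [
  'Fish &amp; chips',
  '&lt;img src=x onerror=alert(1)&gt;',
  '<img src="X" onerror="alert(\'hi\');" />',
  '&#x27;&#39;&quot;',
  '&amp;lt; &unknown; &amp',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(decodeHtmlEntities(s)));
}
```

In a browser, the same effect can be had from the parser itself by assigning to a textarea's innerHTML and reading back its value: textarea content is RCDATA, so entities are decoded but tags are never turned into elements. Either way, the property that matters is the one the jQuery version lacks: the untrusted string never becomes DOM nodes.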